I'm writing an Android application which has a server connection. I would like to authenticate the app's user on the Android device and let the server know this has been done.

Assuming the user has:

entered his/her credentials in the Android device for Google and Facebook (these are the ones I'm currently interested in)

allowed the application to use the stored credentials on the Android device

the application acquired the details (account user and token) from Android's AccountManager successfully

I would like now to correctly and securely let the server know the app on the device has authenticated the user. How can the server validate that this isn't bogus? Is there a way to validate a token with Google and Facebook on a server without requiring user interaction?

Not really. For now I postponed messing with this, but I think the key you get from the phone's AccountManager can be used on the server to validate its authenticity against Google's (or Facebook's) services, but I'm not sure: code.google.com/apis/accounts/docs/OAuth2.html#IA
– gnobal, Mar 24 '11 at 13:24

Thanks, but I was looking for a secure way to do this, and any solution that generates device-specific IDs is vulnerable to ID spoofing. We ended up doing a 3-legged sign in process.
– gnobal, Jan 22 '13 at 19:07

Although, it might not be a good idea to use your retrieved token and save it, or transmit it to your server, there might be other ways to let your server know that the authentication has completed.

It might not be a fool-proof method, but depending on your use-case, it might work.

The AccountManagerFuture interface has a callback, isDone(), which says that you can now retrieve your token. That essentially means that the authentication has happened, after the user has given permission for your app to use a specific account.

Else, if you are using AccountManagerCallback for your code, you can know, in code, that authentication has happened, right after you try to retrieve the token for the account.

In either of these cases, you would then have to make a call to your server, letting it know that authentication has happened. I don't really know if you need to send out the token to your server also. But, if you wish, I guess, you could do that.

Thanks for the answer, Kumar. What we ended up doing was a custom 3-legged authentication, where we use a small AppEngine instance that our server communicated with over a trusted channel. In Google I/O 2011 they mentioned this as a way to do it. As far as I know there isn't a supported way.
– gnobal, Nov 2 '12 at 13:30

@Kumar I have one doubt regarding this: if the user authenticates and syncs once on the device and then changes the password via the PC, will it still give the success scenario?
– pyus13, Dec 22 '12 at 22:15

The old token would expire eventually, and it would ask the user to update his password. So you wouldn't need to do anything extra. This will be taken care of by the account manager automatically.
– Kumar Bibek, Dec 23 '12 at 4:52
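As an added example (not code from the question or from any answer above), this is what the server-side half of the question looks like when the server refuses to take the device's word for it: the app forwards the token it got from AccountManager, and the server asks the provider about that token and checks the answer before creating a session. The endpoints are Google's public OAuth2 tokeninfo endpoint (the docs linked in the first comment) and Facebook's debug_token endpoint; the client ID and app ID values are placeholders, the response field names are the documented ones (handling both the older and newer Google spellings), and the sample responses at the bottom are constructed for illustration. The audience check is the part people forget: a token that is valid but was issued to some other application must not log its holder into yours.

```python
"""Server-side validation of a provider token forwarded by the Android app.

Added example, not the question's or answers' own code. Client/app ids are
placeholders; replace them with the values registered for your application.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Placeholders: the OAuth client id (Google) and app id/secret (Facebook) that
# belong to *this* application. Tokens issued to any other audience are rejected.
GOOGLE_CLIENT_ID = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
FACEBOOK_APP_ID = "PLACEHOLDER-FACEBOOK-APP-ID"
FACEBOOK_APP_SECRET = "PLACEHOLDER-FACEBOOK-APP-SECRET"

GOOGLE_TOKENINFO = "https://www.googleapis.com/oauth2/v3/tokeninfo"
FACEBOOK_DEBUG_TOKEN = "https://graph.facebook.com/debug_token"


class TokenRejected(Exception):
    """The provider's answer does not prove the token is ours, live and bound to a user."""


def check_google_tokeninfo(info: dict, expected_client_id: str, now: float = None) -> str:
    """Validate a parsed tokeninfo response and return the stable Google user id.

    Accepts both the v3 field names (aud/sub) and the older v1/v2 ones
    (audience/user_id) so the same check works against either endpoint version.
    """
    if "error" in info or "error_description" in info:
        raise TokenRejected("provider reports the token is invalid")
    audience = info.get("aud", info.get("audience"))
    if audience != expected_client_id:
        # Valid token, wrong application: the classic confused-deputy mistake.
        raise TokenRejected("token was issued to a different client")
    try:
        expires_in = int(info.get("expires_in", 0))
    except (TypeError, ValueError):
        raise TokenRejected("malformed expires_in")
    if expires_in <= 0:
        raise TokenRejected("token has expired")
    user_id = info.get("sub", info.get("user_id"))
    if not user_id:
        raise TokenRejected("no user identity in tokeninfo response")
    return str(user_id)


def check_facebook_debug_token(payload: dict, expected_app_id: str, now: float = None) -> str:
    """Validate a parsed debug_token response and return the Facebook user id."""
    if now is None:
        now = time.time()
    data = payload.get("data") or {}
    if not data.get("is_valid"):
        raise TokenRejected("provider reports the token is invalid")
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app")
    expires_at = data.get("expires_at", 0)
    # expires_at == 0 means a non-expiring token; anything else must still be in the future.
    if expires_at and expires_at <= now:
        raise TokenRejected("token has expired")
    user_id = data.get("user_id")
    if not user_id:
        raise TokenRejected("no user identity in debug_token response")
    return str(user_id)


def fetch_json(url: str) -> dict:
    """GET a JSON document; an HTTP 4xx body (how tokeninfo reports a bad token) is still parsed."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def verify_google_access_token(token: str) -> str:
    """Network path: ask Google about the forwarded token, then apply the checks above."""
    url = GOOGLE_TOKENINFO + "?" + urllib.parse.urlencode({"access_token": token})
    return check_google_tokeninfo(fetch_json(url), GOOGLE_CLIENT_ID)


def verify_facebook_access_token(token: str) -> str:
    """Network path: debug_token is authenticated with the app's own app-token."""
    params = {"input_token": token, "access_token": FACEBOOK_APP_ID + "|" + FACEBOOK_APP_SECRET}
    url = FACEBOOK_DEBUG_TOKEN + "?" + urllib.parse.urlencode(params)
    return check_facebook_debug_token(fetch_json(url), FACEBOOK_APP_ID)


def rejects(check, *args, **kwargs) -> bool:
    """True if the check raises TokenRejected (used to exercise the negative cases)."""
    try:
        check(*args, **kwargs)
        return False
    except TokenRejected:
        return True


# Constructed sample responses (shape of the real ones; values are made up).
SAMPLE_GOOGLE_OK = {"aud": GOOGLE_CLIENT_ID, "sub": "1234567890", "expires_in": "3599", "scope": "openid email"}
SAMPLE_FACEBOOK_OK = {"data": {"app_id": FACEBOOK_APP_ID, "is_valid": True, "user_id": "987654321", "expires_at": 2000000000}}

if __name__ == "__main__":
    print("google user:", check_google_tokeninfo(SAMPLE_GOOGLE_OK, GOOGLE_CLIENT_ID))
    print("facebook user:", check_facebook_debug_token(SAMPLE_FACEBOOK_OK, FACEBOOK_APP_ID, now=1500000000))
```

The returned provider user id is what the server should key its own session on; the access token itself should not be stored longer than the request that validated it, since the device can fetch a fresh one from AccountManager whenever it needs to.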

There are a few ways to do this while attempting to make sure it's not 'bogus'. One, on initial authentication (where you get the user's account info), get their device ID as well as their location (not precise location, but using their IP address you can get a region of sorts). That way, if someone were trying to authenticate with false credentials, it would stop them. I recommend letting the actual user know that someone is attempting to do this by sending them an email. You could also on initial authentication have the user set up a pin or password, which is then saved on the device. Send a hashed version of the pin to the server and check that every time the user authenticates.

I could be completely off by what you're trying to accomplish as the description is more pseudo than anything, but I hope this helped.
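The PIN idea in the answer above, worked through on the server side as an added example (not the answer's own code). The design choice here differs slightly from the answer's wording: rather than the client sending a hash (which would just make that hash the secret), the server receives the PIN over TLS, stores only a salted PBKDF2 digest, verifies with a constant-time comparison and locks the record after a few failures, since a short PIN is otherwise trivial to guess online. The user ids and PINs in the demo are constructed.

```python
"""Server-side enrollment and verification of a per-user PIN (added example).

Assumes the PIN arrives over an authenticated TLS channel; the server never
stores the PIN itself, only a salted PBKDF2-HMAC-SHA256 digest.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # raise on real hardware; kept modest so the demo runs quickly
SALT_BYTES = 16
MAX_FAILURES = 5              # online guessing budget before the record locks


def _digest(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PinStore:
    """In-memory stand-in for the server's user table: user_id -> [salt, digest, failures]."""

    def __init__(self):
        self._records = {}

    def enroll(self, user_id: str, pin: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._records[user_id] = [salt, _digest(pin, salt), 0]

    def is_locked(self, user_id: str) -> bool:
        rec = self._records.get(user_id)
        return rec is not None and rec[2] >= MAX_FAILURES

    def verify(self, user_id: str, pin: str) -> bool:
        rec = self._records.get(user_id)
        if rec is None:
            # Burn the same work for unknown users so timing does not reveal enrollment.
            _digest(pin, b"\x00" * SALT_BYTES)
            return False
        salt, stored, failures = rec
        if failures >= MAX_FAILURES:
            return False                      # locked: no more guesses until an out-of-band reset
        if hmac.compare_digest(_digest(pin, salt), stored):
            rec[2] = 0                        # success resets the failure counter
            return True
        rec[2] += 1
        return False

    def reset(self, user_id: str) -> None:
        """Clear the lock after the user has proven identity some other way (e.g. the email step)."""
        if user_id in self._records:
            self._records[user_id][2] = 0


def demo() -> dict:
    """Exercise the store with constructed data; returns the observations for checking."""
    store = PinStore()
    store.enroll("user-alice", "4821")
    results = {
        "correct": store.verify("user-alice", "4821"),
        "wrong": store.verify("user-alice", "0000"),
        "unknown_user": store.verify("user-nobody", "4821"),
    }
    for _ in range(MAX_FAILURES):
        store.verify("user-alice", "1111")
    results["locked"] = store.is_locked("user-alice")
    results["correct_while_locked"] = store.verify("user-alice", "4821")
    store.reset("user-alice")
    results["correct_after_reset"] = store.verify("user-alice", "4821")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lock-and-reset pair is what turns the email notification the answer recommends into something actionable: the notified user can confirm it was them, and the server only reopens the PIN check after that.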